server: verbosity: 1 statistics-interval: 0 statistics-cumulative: no extended-statistics: yes num-threads: 4 # Listen only on loopback and pvt.example.com IPv4/IPv6 interfaces. # The default is to listen to localhost (127.0.0.1 and ::1). # The listen interfaces are not changed on reload, only on restart. interface: 127.0.0.1 interface: ::1 interface: interface: interface-automatic: no outgoing-port-permit: 32768-60999 outgoing-port-avoid: 0-32767 so-reuseport: yes ip-transparent: yes max-udp-size: 3072 # Control which clients are allowed to make (recursive) queries # to this server. Specify classless netblocks with /size and action. # By default everything is refused, except for localhost. access-control: 127.0.0.0/8 allow access-control: ::1 allow access-control: access-control: chroot: "" username: "unbound" directory: "/etc/unbound" log-time-ascii: yes pidfile: "/var/run/unbound/unbound.pid" harden-glue: yes harden-dnssec-stripped: yes harden-below-nxdomain: yes harden-referral-path: yes qname-minimisation: yes aggressive-nsec: yes unwanted-reply-threshold: 10000000 prefetch: yes prefetch-key: yes rrset-roundrobin: yes minimal-responses: yes module-config: "ipsecmod validator iterator" trust-anchor-signaling: yes root-key-sentinel: yes trusted-keys-file: /etc/unbound/keys.d/*.key auto-trust-anchor-file: "/var/lib/unbound/root.key" # Ignore chain of trust. Domain is treated as insecure. domain-insecure: domain-insecure: domain-insecure: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa" val-clean-additional: yes val-permissive-mode: no serve-expired: yes val-log-level: 1 # By default, for a number of zones a small default 'nothing here' # reply is built-in. Query traffic is thus blocked. If you # wish to serve such zone you can unblock them by uncommenting one # of the nodefault statements below. # You may also have to use domain-insecure: zone to make DNSSEC work, # unless you have your own trust anchors for this zone. # local-zone: "localhost." nodefault # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault local-zone: local-zone: local-zone: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa" nodefault include: /etc/unbound/local.d/*.conf ipsecmod-enabled: no ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook python: remote-control: control-enable: yes server-key-file: "/etc/unbound/unbound_server.key" server-cert-file: "/etc/unbound/unbound_server.pem" control-key-file: "/etc/unbound/unbound_control.key" control-cert-file: "/etc/unbound/unbound_control.pem" # Stub and Forward zones include: /etc/unbound/conf.d/*.conf # Stub zones. # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of nameservers. list zero or more # nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # Consider adding domain-insecure: name and local-zone: name nodefault # to the server: section if the stub is a locally served zone. stub-zone: name: "" stub-addr: stub-addr: stub-zone: name: "" stub-addr: stub-addr: stub-zone: name: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa" stub-addr: 192.168.62.10 stub-addr: fc62:5265:6448:6174::a # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle # recursion to other nameservers. List zero or more nameservers by hostname # or by ipaddress. Use an entry with name "." to forward all queries. forward-zone: name: "" forward-addr: auth-zone: name: "." for-downstream: no for-upstream: yes fallback-enabled: yes master: b.root-servers.net master: c.root-servers.net master: e.root-servers.net master: f.root-servers.net master: g.root-servers.net master: k.root-servers.net